Analysis

  • max time kernel
    63s
  • max time network
    66s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64
    arch:x86
    image:win10ltsc2021-20241023-en
    locale:en-us
    os:windows10-ltsc 2021-x64
    system
  • submitted
    16-11-2024 17:52

General

  • Target

    FixedBootstrapper1.exe

  • Size

    4.8MB

  • MD5

    12d7d6f7372db4da1e1242bd2efc8ae8

  • SHA1

    fcde71dec007c4ad3656eb9ab2ff9d4a066e6f1b

  • SHA256

    e4d875f0cbd3ec785d08862382e4c139496d78d54daf985e78a54883ef0fa8dd

  • SHA512

    d07ce82badc014650a0464daa1a315dc6a51be4b3495738c9be0c08f81980f37e6d6b8baed32eb6227bee9a4c062a87f582b0333391ef59b413ef62ae1b6b777

  • SSDEEP

    98304:0xsTP26lnPgfjAyAzffPJFSZ0kZP2avl16aEQFluJvY/b0xtR:0xsTuoPgfVAznPkb3VLalY/bi

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 21 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up the country code configured in the registry, most likely for geofencing.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\FixedBootstrapper1.exe
    "C:\Users\Admin\AppData\Local\Temp\FixedBootstrapper1.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe
      "C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3188
      • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.exe
        "C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3872
        • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe
          "C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:1892
      • C:\Users\Admin\AppData\Local\Temp\coloader.bat
        "C:\Users\Admin\AppData\Local\Temp\coloader.bat"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1468
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Chainperf\v4uTzNmDRk.vbe"
          4⤵
          • Checks computer location settings
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4812
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Chainperf\cgzjncvQyIdVX7ls38qYv.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4888
            • C:\Chainperf\fontsvc.exe
              "C:\Chainperf\fontsvc.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:5420
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Chainperf\hTUnoY.vbe"
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1248
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Chainperf\j2XzyEby.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4864
          • C:\Chainperf\fontsvc.exe
            "C:\Chainperf\fontsvc.exe"
            5⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1452
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3812
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2620
                • C:\Program Files\Windows Mail\smartscreen.exe
                  "C:\Program Files\Windows Mail\smartscreen.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:1168
    • C:\Windows\system32\notepad.exe
      "C:\Windows\system32\notepad.exe"
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:3844
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5476
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2100
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5636
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1112
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:6024
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3472
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\smartscreen.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\smartscreen.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2284
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\smartscreen.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5848
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Chainperf\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Chainperf\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Chainperf\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1416
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Chainperf\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Chainperf\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Chainperf\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:5184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3540
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2068
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3320
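
    The 21 schtasks.exe entries above are the sample's persistence layer: seven copies of the payload, each named after a genuine Windows system binary (csrss, spoolsv, wininit, RuntimeBroker, fontdrvhost, smartscreen, MoUsoCoreWorker) but dropped outside System32, and each registered three times: a run-every-N-minutes task, an ONLOGON task at the highest run level, and a second MINUTE task at the highest run level. The Python below is added here as a worked example; it is not part of the sandbox report or of the sample. It parses those command lines (copied verbatim from the tree above) and applies the checks an analyst would run over them: a system-binary name outside System32, short MINUTE intervals, ONLOGON triggers, and /rl HIGHEST. The list of system binary names, the 15-minute threshold and all function names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The 21 `schtasks /create` command lines recorded in this report's process tree.
SCHTASKS_LINES = [
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /f""",
    r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office16\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f""",
    r"""schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /f""",
    r"""schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\Application\RuntimeBroker.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\smartscreen.exe'" /f""",
    r"""schtasks.exe /create /tn "smartscreen" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\smartscreen.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "smartscreens" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\smartscreen.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Chainperf\csrss.exe'" /f""",
    r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Chainperf\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Chainperf\csrss.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Chainperf\spoolsv.exe'" /f""",
    r"""schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Chainperf\spoolsv.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Chainperf\spoolsv.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe'" /f""",
    r"""schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe'" /rl HIGHEST /f""",
]

# Legitimate binaries with these names live only under %SystemRoot%\System32 (or SysWOW64);
# the same name anywhere else is masquerading (ATT&CK T1036.005). List chosen for this example.
SYSTEM_BINARY_NAMES = {"csrss.exe", "spoolsv.exe", "wininit.exe", "runtimebroker.exe",
                       "fontdrvhost.exe", "smartscreen.exe", "mousocoreworker.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_SC = re.compile(r'/sc\s+(\S+)', re.I)
_MO = re.compile(r'/mo\s+(\d+)', re.I)
_TR = re.compile(r'/tr\s+"\'?([^"\']+)\'?"', re.I)  # unwraps the "'...'" double quoting
_RL = re.compile(r'/rl\s+(\S+)', re.I)


@dataclass
class TaskSpec:
    name: str                 # /tn
    schedule: str             # /sc: MINUTE, ONLOGON, ...
    modifier: Optional[int]   # /mo: interval for MINUTE schedules
    target: str               # program the task launches
    run_level: Optional[str]  # HIGHEST when /rl HIGHEST was given

    @property
    def basename(self) -> str:
        return self.target.rsplit("\\", 1)[-1].lower()

    @property
    def directory(self) -> str:
        return self.target.rsplit("\\", 1)[0].lower()


def parse_schtasks(cmdline: str) -> Optional[TaskSpec]:
    """Extract the fields of a `schtasks /create` command line; None if it is not one."""
    if "/create" not in cmdline.lower():
        return None
    tn, sc, tr = _TN.search(cmdline), _SC.search(cmdline), _TR.search(cmdline)
    if not (tn and sc and tr):
        return None
    mo, rl = _MO.search(cmdline), _RL.search(cmdline)
    return TaskSpec(tn.group(1), sc.group(1).upper(), int(mo.group(1)) if mo else None,
                    tr.group(1), rl.group(1).upper() if rl else None)


def suspicious_reasons(task: TaskSpec) -> List[str]:
    """Triage heuristics applied to one parsed task (thresholds are this example's own)."""
    reasons = []
    if task.basename in SYSTEM_BINARY_NAMES and task.directory not in LEGIT_DIRS:
        reasons.append(f"masquerading: {task.basename} outside System32 ({task.directory})")
    if task.schedule == "MINUTE" and task.modifier is not None and task.modifier <= 15:
        reasons.append(f"re-launched every {task.modifier} min (watchdog-style persistence)")
    if task.schedule == "ONLOGON":
        reasons.append("runs at every logon")
    if task.run_level == "HIGHEST":
        reasons.append("runs with the highest available privileges")
    return reasons


def triage(cmdlines: List[str]) -> Dict[str, object]:
    """Summarise a batch of schtasks command lines the way the process tree above is read."""
    tasks = [t for t in map(parse_schtasks, cmdlines) if t]
    # /f overwrites an existing task of the same name, so only the last /create per /tn survives.
    final: Dict[str, TaskSpec] = {}
    for t in tasks:
        final[t.name] = t
    return {
        "parsed": len(tasks),
        "final": final,
        "persistence_paths": sorted({t.target for t in tasks}),
        "highest": sum(1 for t in tasks if t.run_level == "HIGHEST"),
        "flagged": {n: suspicious_reasons(t) for n, t in final.items()},
    }


if __name__ == "__main__":
    result = triage(SCHTASKS_LINES)
    print(f"{result['parsed']} /create calls -> {len(result['final'])} surviving tasks")
    for path in result["persistence_paths"]:
        print("  persistence binary:", path)
    for name, reasons in result["flagged"].items():
        print(f"  task {name!r}: " + "; ".join(reasons))
```

    Two details of the tree are worth keeping in mind when reading the output. Every task is created with /f, so the second /create for a given /tn (for example wininitw with /mo 7 /rl HIGHEST) silently replaces the first, and only 14 of the 21 tasks survive. The task target C:\Users\Default User\fontdrvhost.exe is the same file as the C:\Users\Default\fontdrvhost.exe listed under Downloads, because Default User is a junction to Default. The w32tm /stripchart /computer:localhost /period:5 /samples:2 call in the tree is the batch-file sleep idiom: it polls the local clock twice five seconds apart and serves only to delay the launch of smartscreen.exe that follows it.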

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Chainperf\csrss.exe

      Filesize

      2.6MB

      MD5

      28bb43cb9b8ebbb3c99a835f79fbe54b

      SHA1

      e4c5eb19d1869b3b697ea993d0c161406ad2e5da

      SHA256

      709bd0907308ceb5e14e480e6c3fd68eee02578c780dc930e6510a4d86f10ff3

      SHA512

      2d824f5fa7b4121b244d9dc63aae3c60ecfef9eb7de1c3b36c9e174c834ec3053e1f30c453bd403e3c64495bdf5e5f15dd68c239271ccc190c3d9d3193dd9ff7

    • C:\Chainperf\fontsvc.exe

      Filesize

      2.6MB

      MD5

      b43eb1570f1db9f4d0a87879b974437c

      SHA1

      8ba1be5e82f452d464bc8b096e2861b223163c7c

      SHA256

      467b59a8744100fa4992ea3f7fa40de43338d86fa2008df392b7db19a8d90c25

      SHA512

      b90dd28b8c783122e24970409d37efa31c2570e02f84d4e4d2940183b9c1806067b34b60b41cced6d4f86fa7e7d3e63ecd4a5ed93b3d167ca3007e571e9b761a

    • C:\Chainperf\hTUnoY.vbe

      Filesize

      195B

      MD5

      14d81562e8d7dbc0a2a134a5c9628702

      SHA1

      ac6608ff041dc83244a6d690361789500e218278

      SHA256

      8c5c776f71fe80369caddb3052aff6271febba8f32db5b79fe09e35cd117bb0b

      SHA512

      5ca0894dad3264984aabeb27b376e4ee20a0cf630b6381a6ebb335fd79a4f5a745f86c961a2e00eb9aef31ff88c25badb965772b96ad7e78e492277550df61d7

    • C:\Chainperf\j2XzyEby.bat

      Filesize

      26B

      MD5

      4920cb6044ceea5854ff65872d50650e

      SHA1

      63c8c0362d9846b78682f4a6218b3f462847122d

      SHA256

      926ec2c6e83a5ff06b38d0beea444dfbf461cef3f82d91ba617535727501e09e

      SHA512

      a5b502e29bf5db4c731d2a40b0553a7247f7d61a88ebf9cc07d55741b8f529c3c8f3634789557a19141c3f9121f27f0d568cfac48a8b13ef6ede34bb8568095f

    • C:\Chainperf\spoolsv.exe

      Filesize

      2.6MB

      MD5

      61ab016a26c52471188084adc95a9245

      SHA1

      0cd2de1499c0fba3ce903d202c526b3610e2dc19

      SHA256

      292060c9a6a48f7954396e58d6084c881012dd492a2cc7da6d3671ed808f43ba

      SHA512

      2962e05479e6e4c2bac75fce79a825f6ed8bdea4d6f077e02a43ae892c093d4396d8937952bcbdec90a2e0fda98718228fac665f2d07cf913eb5b97918667062

    • C:\Chainperf\v4uTzNmDRk.vbe

      Filesize

      208B

      MD5

      fee6b802bc54e4017d5170f8f2f32d7b

      SHA1

      282cffc756bb4ef62262f28cc3a9894285b2fbdb

      SHA256

      26b35277127596094f3b7376634ea98b8623f346894fec1581c648649d69bb03

      SHA512

      dc78cff3abb518ca749d6c79f895cb0f1a7c73a2cd8d40d6fa01cb34c4076411c7f62f0f32bdf103cc590ed09195159dce9f1c241b38c6f966cc197d71bb0723

    • C:\Program Files\Microsoft Office\Office16\wininit.exe

      Filesize

      2.6MB

      MD5

      8a4df2057238f359240dc30946171255

      SHA1

      e18717f6bbba3065a0d69808781cff92f22a6dc3

      SHA256

      7f743f9887dcbd380d26b93d98d76709e72014cc6ecc639d21f67ebab04608db

      SHA512

      515c32bb52d903fda727aeb25d529c5b0ed3f8a7a1f4d740fc6189d9748280ae642880e18829dd5f1bb900967c3a05476c07f875bfaa237a4ac25c6be29f5784

    • C:\Program Files\Windows Mail\smartscreen.exe

      Filesize

      2.6MB

      MD5

      81fa8f507b22bda8ed0cde8608536d22

      SHA1

      01734053db9e62f3478d7cb4b6a2c8f85da7b29e

      SHA256

      6e2ab2da4f49a309a5780068f7ec000a45318fb3af23854ac8c417e9c0d4b1f6

      SHA512

      14e1a0caae0825a127f583799b0373be987b6c31070e00ff13f41ca67fbd52b6b71404303c99f5013d6844726799a62c417dfa90cdc2f2a7aa2dccdcb3ab7e47

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontsvc.exe.log

      Filesize

      1KB

      MD5

      340f7d929ebbc3218c7c80bb773799de

      SHA1

      d6246e1ec0a00c25283d12ca60108f6c8888bb1c

      SHA256

      818c3b409a489f80f5ebc50338ea66ea8a4d90d3d35c4f41d37861dfdbd3da04

      SHA512

      083198c6adc0b14dc6cc3ab9235450aa7ca3b49b5342949771d216f6cd2a82187f02665a803e9ad88064797b78aafdd1aac11f8da1442bfabb0ee72454841d56

    • C:\Users\Admin\AppData\Local\Temp\Bootstrapper (1).exe

      Filesize

      2.4MB

      MD5

      7288fa841bea76ca83489df7eafcffe4

      SHA1

      2ab384971a7e4d60a3dc84ba727779379abb06b4

      SHA256

      73827a9be154cc1b7d695beebe67ac9d875c7069baf512dca6eb28d6090bdba2

      SHA512

      b323e6fbdafdd098b94648b7d27d7008a96b90853de5315919106416e23148d922fba13e3f8c2ba857e7a2f6913f5bc8f8a3625b216f7eab11623d69188ce435

    • C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.exe

      Filesize

      30KB

      MD5

      2ab717edcfc55d3ec5c2c26db00ccaf6

      SHA1

      4c6aeca51011ebb8ceed6ab955e184f7bbb1dd1e

      SHA256

      117949b2d79a0db89fa3cae4a003fd8c4dfe315b249d4fec3e624ab17a92ba79

      SHA512

      16029d7e67f91c11d5e3c6bcbd9742b926674bf158a59dec98585ddb833dbca8e5f02b14ad10b1d613e962ab7a38fc6bfa0e6dd58a184b5ecac4b25e84078af9

    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

      Filesize

      2.9MB

      MD5

      aba3f025085150b0a5481349345c290b

      SHA1

      9872b69f6c4ece69de2eba82e0201d587ce2c661

      SHA256

      1074caabe40da07f7b3737dc1338b68c767e9b8fd087230d650f7eb9da48d0ab

      SHA512

      9db2470bab928bfc7cb3a56aec753b814af7dd88f62c7cc4765621c9040b7fc54eef211536ac01830357fdb77447c4d52cb062943dc01d335056802dc37007b2

    • C:\Users\Admin\AppData\Local\Temp\RezWare\Microsoft.Web.WebView2.Core.dll

      Filesize

      581KB

      MD5

      3d9465d5161ac2ab5a83265935514349

      SHA1

      5d40047faf2a166e6c25f106c244b5826bd0aad9

      SHA256

      24d1f432632c971456e6db676f609772b98d0cf3d3a5450c78d3dbb75744399e

      SHA512

      8d84de25fcb88ad6786de9f077612d356eed8726a50e9b6c44a3dff456ca8a160e0707cd1902b52e4890f97f4a5a72466ac149e71d1e790267141a6710ecc70d

    • C:\Users\Admin\AppData\Local\Temp\RezWare\Microsoft.Web.WebView2.Wpf.dll

      Filesize

      81KB

      MD5

      b8766e71b537b000f020ae51284ab4cd

      SHA1

      4731f26cb74c8c2f6addea537dde860cd94321ac

      SHA256

      7b0ad54180a2b6c4443a68c93309c1e4196e9baaeb0a6c58ca5b192ed0ce8615

      SHA512

      b1e7d7dd971fd0fc8ce777ca0942add849f77de8a50a0ce4d117d18bee06dce4dd98622a4dbe44e11bc199646e388917255328191789c25f68f0809ee8eebc34

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.deps.json

      Filesize

      2KB

      MD5

      b792378cb2aea10976c3105a40682054

      SHA1

      86f17ad3859c50a1143ca1b34bd0488db072955b

      SHA256

      c5c0e3c6a831591a2f880eedba19559e3247ef3bac4bee5be2a7cda3e42de41c

      SHA512

      672ea1bcb8b78409d015f9b6ef1cc3c6db0d9c095a3cef9f15bc6bdeec3e770265996201cc7f07c8679058dcd3818c0b67bd892f669a031bd3f29aa023a5763d

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.dll

      Filesize

      269KB

      MD5

      872696973b682795ce08aaa146ec592c

      SHA1

      d7b2f85e82d729500e89cd57fb33a8402ed8619c

      SHA256

      cda4b46cd902560799fb15ba73f461743b113b95059c32d0c4dd4626312675cd

      SHA512

      fca468bcd87d7738762170371c5491fb3999bbce7c0e3e0c833df7d30339956dc6ef92678c6b81e1fd6f87e09b42906b0807cae073c4dad2290331cfa9130dbd

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe

      Filesize

      197KB

      MD5

      519bfcee8788448f7afede8ed92d1368

      SHA1

      81326547e415281711cf5d26240ef288bf260a0e

      SHA256

      36919fc389c74858e9497ca15a181f6b295a842edd78557b5f4efd36a0080c87

      SHA512

      6a515c6f337997e0972f7d580ac025a6d3da32a44267610229dd47a10260640711270efd5afa080bcd17d13047e0a5337902368069806691d07b2acd77f1e483

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

      Filesize

      8KB

      MD5

      0962291d6d367570bee5454721c17e11

      SHA1

      59d10a893ef321a706a9255176761366115bedcb

      SHA256

      ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

      SHA512

      f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\Extension State\CURRENT

      Filesize

      16B

      MD5

      46295cac801e5d4857d09837238a6394

      SHA1

      44e0fa1b517dbf802b18faf0785eeea6ac51594b

      SHA256

      0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

      SHA512

      8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

      Filesize

      41B

      MD5

      5af87dfd673ba2115e2fcf5cfdb727ab

      SHA1

      d5b5bbf396dc291274584ef71f444f420b6056f1

      SHA256

      f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

      SHA512

      de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\GPUCache\data_0

      Filesize

      44KB

      MD5

      93402cc1d2e8a195a963fce311377a2b

      SHA1

      4e3b823b142f98527ff4611cb23c70bfa599bd39

      SHA256

      a1b4a062523b9461b19db3a7a2eaffa093c018db9e1bff9bc2b910e02734f75f

      SHA512

      db462fc624e0a9b3fffb0182c24d30389f951e6a8a46a578fca7125f11e33cced489a3eaa1b7db35bb975b32e3bb996fa296dcf1e491bcd3acb1f97c03eac4f6

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\GPUCache\data_1

      Filesize

      264KB

      MD5

      aabcf0c28e69a6dcede53d6308353172

      SHA1

      32d5846fba676ae54511f6d72cf70b36300580fc

      SHA256

      96d2810647658e1292acb5caa78945e8d5b65ba65844e37c33a5728e477760a4

      SHA512

      f642078e42d4ced46df4cda281c1398e7b798ff90d530a9ac209e54b786f90fb9f7484c96f63f7dae78fa2616810c5285eb28661d90d3374c378a514c5ade863

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\GPUCache\data_3

      Filesize

      8KB

      MD5

      41876349cb12d6db992f1309f22df3f0

      SHA1

      5cf26b3420fc0302cd0a71e8d029739b8765be27

      SHA256

      e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

      SHA512

      e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

      Filesize

      24B

      MD5

      54cb446f628b2ea4a5bce5769910512e

      SHA1

      c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

      SHA256

      fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

      SHA512

      8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

    • C:\Users\Admin\AppData\Local\Temp\RezWare\RezWareUi.runtimeconfig.json

      Filesize

      386B

      MD5

      186a65581e2f29258f54d396660409fa

      SHA1

      6f998d3be2e85cb5419205f867135874f27c0a3a

      SHA256

      e1e0974d0e8833375024eb7c78521b3b5cad4228aad22b23d506cbe702445844

      SHA512

      7dea87b523aab01ea3c794779b71bc0b52179e1d5e7b9a45539ddd39c775969ef22853c4c193699aec1e3fa3cbe26e90e3a4881226c52a3aacae1eac260ff896

    • C:\Users\Admin\AppData\Local\Temp\RezWare\runtimes\win-x64\native\WebView2Loader.dll

      Filesize

      162KB

      MD5

      0ad9319fa14d39c0812583337546ca20

      SHA1

      0a76b27dc44f46756984a7a5f93f9a9b024aedb5

      SHA256

      1d963a02d8a7fa3e7eac2e936dad5559c4d63327f35b0a09787ffc1d58f9c18d

      SHA512

      01bfb6516ea8d2347863fdf6de7ce1bc598d0798a7a388a0b4478a8be4bad66362185f366ed52adb19008f518c05fbaedf46268051bbf26e448e23b017af669f

    • C:\Users\Admin\AppData\Local\Temp\RezWare\workspace\.tests\isfile.txt

      Filesize

      7B

      MD5

      260ca9dd8a4577fc00b7bd5810298076

      SHA1

      53a5687cb26dc41f2ab4033e97e13adefd3740d6

      SHA256

      aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

      SHA512

      51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

    • C:\Users\Admin\AppData\Local\Temp\coloader.bat

      Filesize

      2.9MB

      MD5

      e98585e959567dccbbca136f31985860

      SHA1

      7fbd2fe1ab08a183e12bdbb4001991a0161d0a1f

      SHA256

      75d6a27004712293186fcfc12119b369530254e57c6404115f7a5a9a05654ebe

      SHA512

      a81a99dd6216cfdc4f09a02c47a7cb95128725596d46d04fb881a9495bf97a222dc3ad8b6d41a3688aac7a2742aff416a9cd47b6317a0827bfd6515b1ff7957d

    • C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat

      Filesize

      210B

      MD5

      f86020a34ea663275ceef5f30e3a6bad

      SHA1

      fc5357fc68cc380c6fb09b5ae129b388f556e679

      SHA256

      0a350e1f413a67b6e78ed2e4835ab7153ababc5de3d444bdd3d693acaa79203f

      SHA512

      192cef527518bc6f20db97c48f08c73b275fcd84d9298612ba4e6425a4d4a9f3269d87bf5cc12b6f0dab449b851ac83967fd0cf8173a3fb101eaed1d3789823e

    • C:\Users\Default\fontdrvhost.exe

      Filesize

      2.6MB

      MD5

      063e87290df6398d2d211108927f048b

      SHA1

      f1019198d2d851d868f053d46ec2b09be0c4c33e

      SHA256

      35e7d70077918bbeac46a836cf2207cc2c19db39fef59af5bfd0eef74245e0a0

      SHA512

      038b9eb7424cad5e23f5a0862c33b18d207c7ddfc666dde0e3c807b6ef63b371b46ce497a8abeb295e2b4a34a5c089eae52b754fdbf8258251422fc29bd99ed5

    • C:\Users\Public\AccountPictures\MoUsoCoreWorker.exe

      Filesize

      2.6MB

      MD5

      2e603d0c8dc89ccb2700e0d87716cf67

      SHA1

      80da23c1f8fa606690941b1c3c56a9687a16f168

      SHA256

      379634a7d77b0fe012a8962cd133e6b614056bdb4bc0e7df1d7504b3df2a18a2

      SHA512

      57f867ab5b53c6ce0821d0882d0883ee6c57ccad571fb5f550600ae27f70e55599035b3ba8da7890bceed3da8d1bc209a4e57529f49297021b68eafaa2a30d52

    • C:\Windows\Vss\Writers\Application\RuntimeBroker.exe

      Filesize

      2.6MB

      MD5

      4c1ec492248a7c56ae467fff49c38980

      SHA1

      619c221be4cd22cf729e275f4be58bd9ff5b1db9

      SHA256

      3faad1de215ddf652ad826261c3a7550b9eba8b4e86ffb0c90fbb40f6d1a31f4

      SHA512

      3b0e2dff5bedc570bc349f01c879db19497f1933c9cc9092d96372eca1e5dd02fa424cd18cccb8c71f5a7617b894bf6e37e89522aad0833c70fa10ace31801ea

    • memory/1168-948-0x0000000000C60000-0x0000000000F08000-memory.dmp

      Filesize

      2.7MB

    • memory/1452-859-0x000000001B830000-0x000000001B838000-memory.dmp

      Filesize

      32KB

    • memory/1452-861-0x000000001B850000-0x000000001B85E000-memory.dmp

      Filesize

      56KB

    • memory/1452-847-0x000000001AFB0000-0x000000001AFCC000-memory.dmp

      Filesize

      112KB

    • memory/1452-848-0x000000001B020000-0x000000001B070000-memory.dmp

      Filesize

      320KB

    • memory/1452-850-0x000000001AFD0000-0x000000001AFE0000-memory.dmp

      Filesize

      64KB

    • memory/1452-849-0x00000000026D0000-0x00000000026D8000-memory.dmp

      Filesize

      32KB

    • memory/1452-852-0x000000001B000000-0x000000001B008000-memory.dmp

      Filesize

      32KB

    • memory/1452-853-0x000000001B010000-0x000000001B01A000-memory.dmp

      Filesize

      40KB

    • memory/1452-851-0x000000001AFE0000-0x000000001AFF6000-memory.dmp

      Filesize

      88KB

    • memory/1452-854-0x000000001B190000-0x000000001B1E6000-memory.dmp

      Filesize

      344KB

    • memory/1452-855-0x000000001B070000-0x000000001B078000-memory.dmp

      Filesize

      32KB

    • memory/1452-856-0x000000001B1E0000-0x000000001B1F2000-memory.dmp

      Filesize

      72KB

    • memory/1452-845-0x0000000000200000-0x00000000004A8000-memory.dmp

      Filesize

      2.7MB

    • memory/1452-858-0x000000001B820000-0x000000001B828000-memory.dmp

      Filesize

      32KB

    • memory/1452-857-0x000000001BF50000-0x000000001C478000-memory.dmp

      Filesize

      5.2MB

    • memory/1452-846-0x00000000026C0000-0x00000000026CE000-memory.dmp

      Filesize

      56KB

    • memory/1452-863-0x000000001B870000-0x000000001B87A000-memory.dmp

      Filesize

      40KB

    • memory/1452-862-0x000000001B860000-0x000000001B86C000-memory.dmp

      Filesize

      48KB

    • memory/1452-860-0x000000001B840000-0x000000001B84C000-memory.dmp

      Filesize

      48KB

    • memory/1680-0-0x00007FFE20A83000-0x00007FFE20A85000-memory.dmp

      Filesize

      8KB

    • memory/1680-31-0x00007FFE20A80000-0x00007FFE21542000-memory.dmp

      Filesize

      10.8MB

    • memory/1680-3-0x00007FFE20A80000-0x00007FFE21542000-memory.dmp

      Filesize

      10.8MB

    • memory/1680-1-0x0000000000260000-0x0000000000740000-memory.dmp

      Filesize

      4.9MB

    • memory/3188-66-0x00007FFE20A80000-0x00007FFE21542000-memory.dmp

      Filesize

      10.8MB

    • memory/3188-20-0x0000000000B00000-0x0000000000D76000-memory.dmp

      Filesize

      2.5MB

    • memory/3188-19-0x00007FFE20A80000-0x00007FFE21542000-memory.dmp

      Filesize

      10.8MB

    • memory/3872-80-0x0000000006790000-0x00000000067A2000-memory.dmp

      Filesize

      72KB

    • memory/3872-79-0x0000000006760000-0x000000000676A000-memory.dmp

      Filesize

      40KB

    • memory/3872-68-0x0000000000910000-0x000000000091E000-memory.dmp

      Filesize

      56KB